Hello community,

here is the log from the commit of package rubygem-loofah for openSUSE:Factory 
checked in at 2018-02-20 17:56:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-loofah (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-loofah.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-loofah"

Tue Feb 20 17:56:02 2018 rev:5 rq:578226 version:2.2.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-loofah/rubygem-loofah.changes    
2017-12-07 13:51:13.574977140 +0100
+++ /work/SRC/openSUSE:Factory/.rubygem-loofah.new/rubygem-loofah.changes       
2018-02-20 17:56:07.676190228 +0100
@@ -1,0 +2,22 @@
+Thu Feb 15 14:13:37 UTC 2018 - mrueck...@suse.de
+
+- also set a description again
+
+-------------------------------------------------------------------
+Mon Feb 12 10:11:44 UTC 2018 - bgeu...@suse.com
+
+- Update to version 2.2.0
+
+  Features:
+
+  * Support HTML5 <main> tag. #133 (Thanks, @MothOnMars!)
+  * Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
+  * Support SVG <symbol> tag. #131 (Thanks, @baopham!)
+  * Support for whitelisting CSS functions, initially just calc and rgb. 
#122/#123/#129 (Thanks, @NikoRoberts!)
+  * Whitelist CSS property list-style-type. #68/#137/#142 (Thanks, 
@andela-ysanni and @NikoRoberts!)
+
+  Bugfixes:
+
+  * Properly handle nested script tags. #127.
+
+-------------------------------------------------------------------

Old:
----
  loofah-2.1.1.gem

New:
----
  loofah-2.2.0.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-loofah.spec ++++++
--- /var/tmp/diff_new_pack.EPeYAs/_old  2018-02-20 17:56:08.932145006 +0100
+++ /var/tmp/diff_new_pack.EPeYAs/_new  2018-02-20 17:56:08.944144574 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-loofah
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,41 +24,34 @@
 #
 
 Name:           rubygem-loofah
-Version:        2.1.1
+Version:        2.2.0
 Release:        0
 %define mod_name loofah
 %define mod_full_name %{mod_name}-%{version}
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildRequires:  ruby-macros >= 5
+BuildRequires:  %{ruby}
 BuildRequires:  %{rubygem gem2rpm}
 BuildRequires:  %{rubygem rdoc > 3.10}
-BuildRequires:  %{ruby}
-BuildRequires:  ruby-macros >= 5
-Url:            https://github.com/flavorjones/loofah
 Source:         https://rubygems.org/gems/%{mod_full_name}.gem
 Source1:        gem2rpm.yml
-Summary:        Loofah is a general library for manipulating and transforming
+Summary:        HTML/XML manipulation and sanitization based on Nokogiri
 License:        MIT
 Group:          Development/Languages/Ruby
 
 %description
-Loofah is a general library for manipulating and transforming HTML/XML
-documents and fragments. It's built on top of Nokogiri and libxml2, so
-it's fast and has a nice API.
-Loofah excels at HTML sanitization (XSS prevention). It includes some
-nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
-most likely won't make your codes less secure. (These statements have
-not been evaluated by Netexperts.)
-ActiveRecord extensions for sanitization are available in the
-`loofah-activerecord` gem (see
-https://github.com/flavorjones/loofah-activerecord).
+Loofah is a general library for manipulating and transforming HTML/XML 
documents and fragments.
+It's built on top of Nokogiri and libxml2, so it's fast and has a nice API.
 
+Loofah excels at HTML sanitization (XSS prevention). It includes some nice 
HTML sanitizers,
+which are based on HTML5lib's whitelist, so it most likely won't make your 
codes less secure.
 %prep
 
 %build
 
 %install
 %gem_install \
-  --doc-files="CHANGELOG.md MIT-LICENSE.txt README.rdoc" \
+  --doc-files="CHANGELOG.md MIT-LICENSE.txt README.md" \
   -f
 
 %gem_packages

++++++ gem2rpm.yml ++++++
--- /var/tmp/diff_new_pack.EPeYAs/_old  2018-02-20 17:56:09.008142269 +0100
+++ /var/tmp/diff_new_pack.EPeYAs/_new  2018-02-20 17:56:09.008142269 +0100
@@ -1,11 +1,13 @@
 # ---
 # ## used by gem2rpm
-# :summary: this is a custom summary
+:summary: HTML/XML manipulation and sanitization based on Nokogiri
 # ## used by gem2rpm
-# :description: |-
-#   this is a custom description
-#
-#   it can be multiline
+:description: |-
+ Loofah is a general library for manipulating and transforming HTML/XML 
documents and fragments.
+ It's built on top of Nokogiri and libxml2, so it's fast and has a nice API.
+
+ Loofah excels at HTML sanitization (XSS prevention). It includes some nice 
HTML sanitizers,
+ which are based on HTML5lib's whitelist, so it most likely won't make your 
codes less secure.
 # ## used by gem2rpm
 # :license: MIT or Ruby
 # ## used by gem2rpm and gem_packages

++++++ loofah-2.1.1.gem -> loofah-2.2.0.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGELOG.md new/CHANGELOG.md
--- old/CHANGELOG.md    2017-09-25 03:11:14.000000000 +0200
+++ new/CHANGELOG.md    2018-02-11 23:23:01.000000000 +0100
@@ -1,5 +1,20 @@
 # Changelog
 
+## 2.2.0 / 2018-02-11
+
+Features:
+
+* Support HTML5 `<main>` tag. #133 (Thanks, @MothOnMars!)
+* Recognize HTML5 block elements. #136 (Thanks, @MothOnMars!)
+* Support SVG `<symbol>` tag. #131 (Thanks, @baopham!)
+* Support for whitelisting CSS functions, initially just `calc` and `rgb`. 
#122/#123/#129 (Thanks, @NikoRoberts!)
+* Whitelist CSS property `list-style-type`. #68/#137/#142 (Thanks, 
@andela-ysanni and @NikoRoberts!)
+
+Bugfixes:
+
+* Properly handle nested `script` tags. #127.
+
+
 ## 2.1.1 / 2017-09-24
 
 Bugfixes:
@@ -11,7 +26,7 @@
 
 Notes:
 
-* Re-implemented CSS parsing and sanitization using the 
{crass}[https://github.com/rgrove/crass] library. #91
+* Re-implemented CSS parsing and sanitization using the 
[crass](https://github.com/rgrove/crass) library. #91
 
 
 Features:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Gemfile new/Gemfile
--- old/Gemfile 2017-09-25 03:11:14.000000000 +0200
+++ new/Gemfile 2018-02-11 23:23:01.000000000 +0100
@@ -15,7 +15,7 @@
 gem "hoe-debugging", ">=0", :group => [:development, :test]
 gem "hoe-bundler", ">=0", :group => [:development, :test]
 gem "hoe-git", ">=0", :group => [:development, :test]
-gem "concourse", ">=0.14.0", :group => [:development, :test]
+gem "concourse", ">=0.15.0", :group => [:development, :test]
 gem "rdoc", "~>4.0", :group => [:development, :test]
 gem "hoe", "~>3.16", :group => [:development, :test]
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/MIT-LICENSE.txt new/MIT-LICENSE.txt
--- old/MIT-LICENSE.txt 2017-09-25 03:11:14.000000000 +0200
+++ new/MIT-LICENSE.txt 2018-02-11 23:23:01.000000000 +0100
@@ -2,7 +2,7 @@
 
 The MIT License
 
-Copyright (c) 2009 -- 2014 by Mike Dalessio, Bryan Helmkamp
+Copyright (c) 2009 -- 2018 by Mike Dalessio, Bryan Helmkamp
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Manifest.txt new/Manifest.txt
--- old/Manifest.txt    2017-09-25 03:11:14.000000000 +0200
+++ new/Manifest.txt    2018-02-11 23:23:01.000000000 +0100
@@ -3,7 +3,7 @@
 Gemfile
 MIT-LICENSE.txt
 Manifest.txt
-README.rdoc
+README.md
 Rakefile
 benchmark/benchmark.rb
 benchmark/fragment.html
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md       1970-01-01 01:00:00.000000000 +0100
+++ new/README.md       2018-02-11 23:23:01.000000000 +0100
@@ -0,0 +1,361 @@
+# Loofah
+
+* https://github.com/flavorjones/loofah
+* http://rubydoc.info/github/flavorjones/loofah/master/frames
+* http://librelist.com/browser/loofah
+
+## Status
+
+|System|Status|
+|--|--|
+| Concourse | [![Concourse 
CI](https://ci.nokogiri.org/api/v1/teams/nokogiri-core/pipelines/loofah/jobs/ruby-2.5/badge)](https://ci.nokogiri.org/teams/nokogiri-core/pipelines/loofah?groups=master)
 |
+| Code Climate | [![Code 
Climate](https://codeclimate.com/github/flavorjones/loofah.svg)](https://codeclimate.com/github/flavorjones/loofah)
 |
+| Version Eye | [![Version 
Eye](https://www.versioneye.com/ruby/loofah/badge.png)](https://www.versioneye.com/ruby/loofah)
 |
+
+
+## Description
+
+Loofah is a general library for manipulating and transforming HTML/XML
+documents and fragments. It's built on top of Nokogiri and libxml2, so
+it's fast and has a nice API.
+
+Loofah excels at HTML sanitization (XSS prevention). It includes some
+nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
+most likely won't make your codes less secure. (These statements have
+not been evaluated by Netexperts.)
+
+ActiveRecord extensions for sanitization are available in the
+[`loofah-activerecord` 
gem](https://github.com/flavorjones/loofah-activerecord).
+
+
+## Features
+
+* Easily write custom scrubbers for HTML/XML leveraging the sweetness of 
Nokogiri (and HTML5lib's whitelists).
+* Common HTML sanitizing tasks are built-in:
+  * _Strip_ unsafe tags, leaving behind only the inner text.
+  * _Prune_ unsafe tags and their subtrees, removing all traces that they ever 
existed.
+  * _Escape_ unsafe tags and their subtrees, leaving behind lots of 
<tt>&lt;</tt> and <tt>&gt;</tt> entities.
+  * _Whitewash_ the markup, removing all attributes and namespaced nodes.
+* Common HTML transformation tasks are built-in:
+  * Add the _nofollow_ attribute to all hyperlinks.
+* Format markup as plain text, with or without sensible whitespace handling 
around block elements.
+* Replace Rails's `strip_tags` and `sanitize` view helper methods.
+
+
+## Compare and Contrast
+
+Loofah is one of two known Ruby XSS/sanitization solutions that
+guarantees well-formed and valid markup (the other is Sanitize, which
+also uses Nokogiri).
+
+Loofah works on XML, XHTML and HTML documents.
+
+Also, it's pretty fast. Here is a benchmark comparing Loofah to other
+commonly-used libraries (ActionView, Sanitize, HTML5lib and HTMLfilter):
+
+* https://gist.github.com/170193
+
+Lastly, Loofah is extensible. It's super-easy to write your own custom
+scrubbers for whatever document manipulation you need. You don't like
+the built-in scrubbers? Build your own, like a boss.
+
+
+## The Basics
+
+Loofah wraps [Nokogiri](http://nokogiri.org) in a loving
+embrace. Nokogiri is an excellent HTML/XML parser. If you don't know
+how Nokogiri works, you might want to pause for a moment and go check
+it out. I'll wait.
+
+Loofah presents the following classes:
+
+* `Loofah::HTML::Document` and `Loofah::HTML::DocumentFragment`
+* `Loofah::XML::Document` and `Loofah::XML::DocumentFragment`
+* `Loofah::Scrubber`
+
+The documents and fragments are subclasses of the similar Nokogiri classes.
+
+The Scrubber represents the document manipulation, either by wrapping
+a block,
+
+``` ruby
+span2div = Loofah::Scrubber.new do |node|
+  node.name = "div" if node.name == "span"
+end
+```
+
+or by implementing a method.
+
+
+### Side Note: Fragments vs Documents
+
+Generally speaking, unless you expect to have a DOCTYPE and a single
+root node, you don't have a *document*, you have a *fragment*. For
+HTML, another rule of thumb is that *documents* have `html` and `body`
+tags, and *fragments* usually do not.
+
+HTML fragments should be parsed with Loofah.fragment. The result won't
+be wrapped in `html` or `body` tags, won't have a DOCTYPE declaration,
+`head` elements will be silently ignored, and multiple root nodes are
+allowed.
+
+XML fragments should be parsed with Loofah.xml_fragment. The result
+won't have a DOCTYPE declaration, and multiple root nodes are allowed.
+
+HTML documents should be parsed with Loofah.document. The result will
+have a DOCTYPE declaration, along with `html`, `head` and `body` tags.
+
+XML documents should be parsed with Loofah.xml_document. The result
+will have a DOCTYPE declaration and a single root node.
+
+
+### Loofah::HTML::Document and Loofah::HTML::DocumentFragment
+
+These classes are subclasses of Nokogiri::HTML::Document and
+Nokogiri::HTML::DocumentFragment, so you get all the markup
+fixer-uppery and API goodness of Nokogiri.
+
+The module methods Loofah.document and Loofah.fragment will parse an
+HTML document and an HTML fragment, respectively.
+
+``` ruby
+Loofah.document(unsafe_html).is_a?(Nokogiri::HTML::Document)         # => true
+Loofah.fragment(unsafe_html).is_a?(Nokogiri::HTML::DocumentFragment) # => true
+```
+
+Loofah injects a `scrub!` method, which takes either a symbol (for
+built-in scrubbers) or a Loofah::Scrubber object (for custom
+scrubbers), and modifies the document in-place.
+
+Loofah overrides `to_s` to return HTML:
+
+``` ruby
+unsafe_html = "ohai! <div>div is safe</div> <script>but script is not</script>"
+
+doc = Loofah.fragment(unsafe_html).scrub!(:prune)
+doc.to_s    # => "ohai! <div>div is safe</div> "
+```
+
+and `text` to return plain text:
+
+``` ruby
+doc.text    # => "ohai! div is safe "
+```
+
+Also, `to_text` is available, which does the right thing with
+whitespace around block-level elements.
+
+``` ruby
+doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
+doc.text    # => "TitleContent"           # probably not what you want
+doc.to_text # => "\nTitle\n\nContent\n"   # better
+```
+
+### Loofah::XML::Document and Loofah::XML::DocumentFragment
+
+These classes are subclasses of Nokogiri::XML::Document and
+Nokogiri::XML::DocumentFragment, so you get all the markup
+fixer-uppery and API goodness of Nokogiri.
+
+The module methods Loofah.xml_document and Loofah.xml_fragment will
+parse an XML document and an XML fragment, respectively.
+
+``` ruby
+Loofah.xml_document(bad_xml).is_a?(Nokogiri::XML::Document)         # => true
+Loofah.xml_fragment(bad_xml).is_a?(Nokogiri::XML::DocumentFragment) # => true
+```
+
+### Nodes and NodeSets
+
+Nokogiri::XML::Node and Nokogiri::XML::NodeSet also get a `scrub!`
+method, which makes it easy to scrub subtrees.
+
+The following code will apply the `employee_scrubber` only to the
+`employee` nodes (and their subtrees) in the document:
+
+``` ruby
+Loofah.xml_document(bad_xml).xpath("//employee").scrub!(employee_scrubber)
+```
+
+And this code will only scrub the first `employee` node and its subtree:
+
+``` ruby
+Loofah.xml_document(bad_xml).at_xpath("//employee").scrub!(employee_scrubber)
+```
+
+### Loofah::Scrubber
+
+A Scrubber wraps up a block (or method) that is run on a document node:
+
+``` ruby
+# change all <span> tags to <div> tags
+span2div = Loofah::Scrubber.new do |node|
+  node.name = "div" if node.name == "span"
+end
+```
+
+This can then be run on a document:
+
+``` ruby
+Loofah.fragment("<span>foo</span><p>bar</p>").scrub!(span2div).to_s
+# => "<div>foo</div><p>bar</p>"
+```
+
+Scrubbers can be run on a document in either a top-down traversal (the
+default) or bottom-up. Top-down scrubbers can optionally return
+Scrubber::STOP to terminate the traversal of a subtree. Read below and
+in the Loofah::Scrubber class for more detailed usage.
+
+Here's an XML example:
+
+``` ruby
+# remove all <employee> tags that have a "deceased" attribute set to true
+bring_out_your_dead = Loofah::Scrubber.new do |node|
+  if node.name == "employee" and node["deceased"] == "true"
+    node.remove
+    Loofah::Scrubber::STOP # don't bother with the rest of the subtree
+  end
+end
+Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
+```
+
+=== Built-In HTML Scrubbers
+
+Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
+whitelist algorithm:
+
+``` ruby
+doc.scrub!(:strip)       # replaces unknown/unsafe tags with their inner text
+doc.scrub!(:prune)       #  removes unknown/unsafe tags and their children
+doc.scrub!(:escape)      #  escapes unknown/unsafe tags, like this: 
&lt;script&gt;
+doc.scrub!(:whitewash)   #  removes unknown/unsafe/namespaced tags and their 
children,
+                         #          and strips all node attributes
+```
+
+Loofah also comes with some common transformation tasks: 
+
+``` ruby
+doc.scrub!(:nofollow)    #     adds rel="nofollow" attribute to links
+doc.scrub!(:unprintable) #  removes unprintable characters from text nodes
+```
+
+See Loofah::Scrubbers for more details and example usage.
+
+
+### Chaining Scrubbers
+
+You can chain scrubbers:
+
+``` ruby
+Loofah.fragment("<span>hello</span> <script>alert('OHAI')</script>") \
+      .scrub!(:prune) \
+      .scrub!(span2div).to_s
+# => "<div>hello</div> "
+```
+
+### Shorthand
+
+The class methods Loofah.scrub_fragment and Loofah.scrub_document are
+shorthand.
+
+``` ruby
+Loofah.scrub_fragment(unsafe_html, :prune)
+Loofah.scrub_document(unsafe_html, :prune)
+Loofah.scrub_xml_fragment(bad_xml, custom_scrubber)
+Loofah.scrub_xml_document(bad_xml, custom_scrubber)
+```
+
+are the same thing as (and arguably semantically clearer than):
+
+``` ruby
+Loofah.fragment(unsafe_html).scrub!(:prune)
+Loofah.document(unsafe_html).scrub!(:prune)
+Loofah.xml_fragment(bad_xml).scrub!(custom_scrubber)
+Loofah.xml_document(bad_xml).scrub!(custom_scrubber)
+```
+
+
+### View Helpers
+
+Loofah has two "view helpers": Loofah::Helpers.sanitize and
+Loofah::Helpers.strip_tags, both of which are drop-in replacements for
+the Rails ActionView helpers of the same name.
+These are no longer required automatically. You must require `loofah/helpers`. 
+
+
+## Requirements
+
+* Nokogiri >= 1.5.9
+
+
+## Installation
+
+Unsurprisingly:
+
+* gem install loofah
+
+
+## Support
+
+The bug tracker is available here:
+
+* https://github.com/flavorjones/loofah/issues
+
+And the mailing list is on librelist:
+
+* loo...@librelist.com / http://librelist.com
+
+And the IRC channel is \#loofah on freenode.
+
+
+## Security
+
+Some tools may incorrectly report loofah is a potential security
+vulnerability. Loofah depends on Nokogiri, and it's possible to use
+Nokogiri in a dangerous way (by enabling its DTDLOAD option and
+disabling its NONET option).  This dangerous Nokogiri configuration,
+which is sometimes used by other components, can create an XML
+External Entity (XXE) vulnerability if the XML data is not trusted.
+However, loofah never enables this dangerous Nokogiri configuration;
+loofah never enables DTDLOAD, and it never disables NONET.
+
+
+## Related Links
+
+* Nokogiri: http://nokogiri.org
+* libxml2: http://xmlsoft.org
+* html5lib: https://code.google.com/p/html5lib
+
+
+## Authors
+
+* [Mike Dalessio](http://mike.daless.io) 
([@flavorjones](https://twitter.com/flavorjones))
+* Bryan Helmkamp
+
+Featuring code contributed by:
+
+* Aaron Patterson
+* John Barnette
+* Josh Owens
+* Paul Dix
+* Luke Melia
+
+And a big shout-out to Corey Innis for the name, and feedback on the API.
+
+
+## Thank You
+
+The following people have generously donated via the 
Pledgie[http://pledgie.com] badge on the {Loofah github 
page}[https://github.com/flavorjones/loofah]:
+
+* Bill Harding
+
+
+## Historical Note
+
+This library was formerly known as Dryopteris, which was a very bad
+name that nobody could spell properly.
+
+
+## License
+
+Distributed under the MIT License. See `MIT-LICENSE.txt` for details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/README.rdoc new/README.rdoc
--- old/README.rdoc     2017-09-25 03:11:14.000000000 +0200
+++ new/README.rdoc     1970-01-01 01:00:00.000000000 +0100
@@ -1,314 +0,0 @@
-= Loofah {<img 
src="https://travis-ci.org/flavorjones/loofah.svg?branch=master"; alt="Build 
Status" />}[https://travis-ci.org/flavorjones/loofah]
-
-* https://github.com/flavorjones/loofah
-* http://rubydoc.info/github/flavorjones/loofah/master/frames
-* http://librelist.com/browser/loofah
-
-== Description
-
-Loofah is a general library for manipulating and transforming HTML/XML
-documents and fragments. It's built on top of Nokogiri and libxml2, so
-it's fast and has a nice API.
-
-Loofah excels at HTML sanitization (XSS prevention). It includes some
-nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
-most likely won't make your codes less secure. (These statements have
-not been evaluated by Netexperts.)
-
-ActiveRecord extensions for sanitization are available in the
-`loofah-activerecord` gem (see
-https://github.com/flavorjones/loofah-activerecord).
-
-== Features
-
-* Easily write custom scrubbers for HTML/XML leveraging the sweetness of 
Nokogiri (and HTML5lib's whitelists).
-* Common HTML sanitizing tasks are built-in:
-  * _Strip_ unsafe tags, leaving behind only the inner text.
-  * _Prune_ unsafe tags and their subtrees, removing all traces that they ever 
existed.
-  * _Escape_ unsafe tags and their subtrees, leaving behind lots of 
<tt>&lt;</tt> and <tt>&gt;</tt> entities.
-  * _Whitewash_ the markup, removing all attributes and namespaced nodes.
-* Common HTML transformation tasks are built-in:
-  * Add the _nofollow_ attribute to all hyperlinks.
-* Format markup as plain text, with or without sensible whitespace handling 
around block elements.
-* Replace Rails's +strip_tags+ and +sanitize+ view helper methods.
-
-== Compare and Contrast
-
-Loofah is one of two known Ruby XSS/sanitization solutions that
-guarantees well-formed and valid markup (the other is Sanitize, which
-also uses Nokogiri).
-
-Loofah works on XML, XHTML and HTML documents.
-
-Also, it's pretty fast. Here is a benchmark comparing Loofah to other
-commonly-used libraries (ActionView, Sanitize, HTML5lib and HTMLfilter):
-
-* https://gist.github.com/170193
-
-Lastly, Loofah is extensible. It's super-easy to write your own custom
-scrubbers for whatever document manipulation you need. You don't like
-the built-in scrubbers? Build your own, like a boss.
-
-== The Basics
-
-Loofah wraps Nokogiri[http://nokogiri.org] in a loving
-embrace. Nokogiri[http://nokogiri.org] is an excellent HTML/XML
-parser. If you don't know how Nokogiri[http://nokogiri.org] works, you
-might want to pause for a moment and go check it out. I'll wait.
-
-Loofah presents the following classes:
-
-* Loofah::HTML::Document and Loofah::HTML::DocumentFragment
-* Loofah::XML::Document and Loofah::XML::DocumentFragment
-* Loofah::Scrubber
-
-The documents and fragments are subclasses of the similar Nokogiri classes.
-
-The Scrubber represents the document manipulation, either by wrapping
-a block,
-
-  span2div = Loofah::Scrubber.new do |node|
-    node.name = "div" if node.name == "span"
-  end
-
-or by implementing a method.
-
-=== Side Note: Fragments vs Documents
-
-Generally speaking, unless you expect to have a DOCTYPE and a single
-root node, you don't have a *document*, you have a *fragment*. For
-HTML, another rule of thumb is that *documents* have +html+ and +body+
-tags, and *fragments* usually do not.
-
-HTML fragments should be parsed with Loofah.fragment. The result won't
-be wrapped in +html+ or +body+ tags, won't have a DOCTYPE declaration,
-+head+ elements will be silently ignored, and multiple root nodes are
-allowed.
-
-XML fragments should be parsed with Loofah.xml_fragment. The result
-won't have a DOCTYPE declaration, and multiple root nodes are allowed.
-
-HTML documents should be parsed with Loofah.document. The result will
-have a DOCTYPE declaration, along with +html+, +head+ and +body+ tags.
-
-XML documents should be parsed with Loofah.xml_document. The result
-will have a DOCTYPE declaration and a single root node.
-
-=== Loofah::HTML::Document and Loofah::HTML::DocumentFragment
-
-These classes are subclasses of Nokogiri::HTML::Document and
-Nokogiri::HTML::DocumentFragment, so you get all the markup
-fixer-uppery and API goodness of Nokogiri.
-
-The module methods Loofah.document and Loofah.fragment will parse an
-HTML document and an HTML fragment, respectively.
-
-  Loofah.document(unsafe_html).is_a?(Nokogiri::HTML::Document)         # => 
true
-  Loofah.fragment(unsafe_html).is_a?(Nokogiri::HTML::DocumentFragment) # => 
true
-
-Loofah injects a +scrub!+ method, which takes either a symbol (for
-built-in scrubbers) or a Loofah::Scrubber object (for custom
-scrubbers), and modifies the document in-place.
-
-Loofah overrides +to_s+ to return HTML:
-
-  unsafe_html = "ohai! <div>div is safe</div> <script>but script is 
not</script>"
-
-  doc = Loofah.fragment(unsafe_html).scrub!(:strip)
-  doc.to_s    # => "ohai! <div>div is safe</div> "
-
-and +text+ to return plain text:
-
-  doc.text    # => "ohai! div is safe "
-
-Also, +to_text+ is available, which does the right thing with
-whitespace around block-level elements.
-
-  doc = Loofah.fragment("<h1>Title</h1><div>Content</div>")
-  doc.text    # => "TitleContent"           # probably not what you want
-  doc.to_text # => "\nTitle\n\nContent\n"   # better
-
-=== Loofah::XML::Document and Loofah::XML::DocumentFragment
-
-These classes are subclasses of Nokogiri::XML::Document and
-Nokogiri::XML::DocumentFragment, so you get all the markup
-fixer-uppery and API goodness of Nokogiri.
-
-The module methods Loofah.xml_document and Loofah.xml_fragment will
-parse an XML document and an XML fragment, respectively.
-
-  Loofah.xml_document(bad_xml).is_a?(Nokogiri::XML::Document)         # => true
-  Loofah.xml_fragment(bad_xml).is_a?(Nokogiri::XML::DocumentFragment) # => true
-
-=== Nodes and NodeSets
-
-Nokogiri::XML::Node and Nokogiri::XML::NodeSet also get a +scrub!+
-method, which makes it easy to scrub subtrees.
-
-The following code will apply the +employee_scrubber+ only to the
-+employee+ nodes (and their subtrees) in the document:
-
-  Loofah.xml_document(bad_xml).xpath("//employee").scrub!(employee_scrubber)
-
-And this code will only scrub the first +employee+ node and its subtree:
-
-  Loofah.xml_document(bad_xml).at_xpath("//employee").scrub!(employee_scrubber)
-
-=== Loofah::Scrubber
-
-A Scrubber wraps up a block (or method) that is run on a document node:
-
-  # change all <span> tags to <div> tags
-  span2div = Loofah::Scrubber.new do |node|
-    node.name = "div" if node.name == "span"
-  end
-
-This can then be run on a document:
-
-  Loofah.fragment("<span>foo</span><p>bar</p>").scrub!(span2div).to_s
-  # => "<div>foo</div><p>bar</p>"
-
-Scrubbers can be run on a document in either a top-down traversal (the
-default) or bottom-up. Top-down scrubbers can optionally return
-Scrubber::STOP to terminate the traversal of a subtree. Read below and
-in the Loofah::Scrubber class for more detailed usage.
-
-Here's an XML example:
-
-  # remove all <employee> tags that have a "deceased" attribute set to true
-  bring_out_your_dead = Loofah::Scrubber.new do |node|
-    if node.name == "employee" and node["deceased"] == "true"
-      node.remove
-      Loofah::Scrubber::STOP # don't bother with the rest of the subtree
-    end
-  end
-  Loofah.xml_document(File.read('plague.xml')).scrub!(bring_out_your_dead)
-
-=== Built-In HTML Scrubbers
-
-Loofah comes with a set of sanitizing scrubbers that use HTML5lib's
-whitelist algorithm:
-
-  doc.scrub!(:strip)       # replaces unknown/unsafe tags with their inner text
-  doc.scrub!(:prune)       #  removes unknown/unsafe tags and their children
-  doc.scrub!(:escape)      #  escapes unknown/unsafe tags, like this: 
&lt;script&gt;
-  doc.scrub!(:whitewash)   #  removes unknown/unsafe/namespaced tags and their 
children,
-                           #          and strips all node attributes
-
-Loofah also comes with some common transformation tasks: 
-
-  doc.scrub!(:nofollow)    #     adds rel="nofollow" attribute to links
-  doc.scrub!(:unprintable) #  removes unprintable characters from text nodes
-
-See Loofah::Scrubbers for more details and example usage.
-
-=== Chaining Scrubbers
-
-You can chain scrubbers:
-
-  Loofah.fragment("<span>hello</span> <script>alert('OHAI')</script>") \
-        .scrub!(:prune) \
-        .scrub!(span2div).to_s
-  # => "<div>hello</div> "
-
-=== Shorthand
-
-The class methods Loofah.scrub_fragment and Loofah.scrub_document are
-shorthand.
-
-  Loofah.scrub_fragment(unsafe_html, :prune)
-  Loofah.scrub_document(unsafe_html, :prune)
-  Loofah.scrub_xml_fragment(bad_xml, custom_scrubber)
-  Loofah.scrub_xml_document(bad_xml, custom_scrubber)
-
-are the same thing as (and arguably semantically clearer than):
-
-  Loofah.fragment(unsafe_html).scrub!(:prune)
-  Loofah.document(unsafe_html).scrub!(:prune)
-  Loofah.xml_fragment(bad_xml).scrub!(custom_scrubber)
-  Loofah.xml_document(bad_xml).scrub!(custom_scrubber)
-
-=== View Helpers
-
-Loofah has two "view helpers": Loofah::Helpers.sanitize and
-Loofah::Helpers.strip_tags, both of which are drop-in replacements for
-the Rails ActionView helpers of the same name.
-These are no longer required automatically. You must require `loofah/helpers`. 
-
-== Requirements
-
-* Nokogiri >= 1.4.4
-
-== Installation
-
-Unsurprisingly:
-
-* gem install loofah
-
-== Support
-
-The bug tracker is available here:
-
-* https://github.com/flavorjones/loofah/issues
-
-And the mailing list is on librelist:
-
-* loo...@librelist.com / http://librelist.com
-
-And the IRC channel is \#loofah on freenode.
-
-== Related Links
-
-* Nokogiri: http://nokogiri.org
-* libxml2: http://xmlsoft.org
-* html5lib: https://code.google.com/p/html5lib
-
-== Authors
-
-* {Mike Dalessio}[http://mike.daless.io] 
(@flavorjones[https://twitter.com/flavorjones])
-* Bryan Helmkamp
-
-Featuring code contributed by:
-
-* Aaron Patterson
-* John Barnette
-* Josh Owens
-* Paul Dix
-* Luke Melia
-
-And a big shout-out to Corey Innis for the name, and feedback on the API.
-
-== Thank You
-
-The following people have generously donated via the 
Pledgie[http://pledgie.com] badge on the {Loofah github 
page}[https://github.com/flavorjones/loofah]:
-
-* Bill Harding
-
-== Historical Note
-
-This library was formerly known as Dryopteris, which was a very bad
-name that nobody could spell properly.
-
-== License
-
-The MIT License
-
-Copyright (c) 2009 -- 2014 by Mike Dalessio, Bryan Helmkamp
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Rakefile new/Rakefile
--- old/Rakefile        2017-09-25 03:11:14.000000000 +0200
+++ new/Rakefile        2018-02-11 23:23:01.000000000 +0100
@@ -28,7 +28,7 @@
   extra_dev_deps << ["hoe-debugging", ">=0"]
   extra_dev_deps << ["hoe-bundler", ">=0"]
   extra_dev_deps << ["hoe-git", ">=0"]
-  extra_dev_deps << ["concourse", ">=0.14.0"]
+  extra_dev_deps << ["concourse", ">=0.15.0"]
 end
 
 task :gemspec do
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/loofah/elements.rb new/lib/loofah/elements.rb
--- old/lib/loofah/elements.rb  2017-09-25 03:11:14.000000000 +0200
+++ new/lib/loofah/elements.rb  2018-02-11 23:23:01.000000000 +0100
@@ -2,13 +2,88 @@
 
 module Loofah
   module Elements
-    # Block elements in HTML4
-    STRICT_BLOCK_LEVEL = Set.new %w[address blockquote center dir div dl
-      fieldset form h1 h2 h3 h4 h5 h6 hr isindex menu noframes
-      noscript ol p pre table ul]
+    STRICT_BLOCK_LEVEL_HTML4 = Set.new %w[
+      address
+      blockquote
+      center
+      dir
+      div
+      dl
+      fieldset
+      form
+      h1
+      h2
+      h3
+      h4
+      h5
+      h6
+      hr
+      isindex
+      menu
+      noframes
+      noscript
+      ol
+      p
+      pre
+      table
+      ul
+    ]
 
-    # The following elements may also be considered block-level elements since 
they may contain block-level elements
-    LOOSE_BLOCK_LEVEL = Set.new %w[dd dt frameset li tbody td tfoot th thead 
tr]
+    # https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
+    STRICT_BLOCK_LEVEL_HTML5 = Set.new %w[
+      address
+      article
+      aside
+      blockquote
+      canvas
+      dd
+      div
+      dl
+      dt
+      fieldset
+      figcaption
+      figure
+      footer
+      form
+      h1
+      h2
+      h3
+      h4
+      h5
+      h6
+      header
+      hgroup
+      hr
+      li
+      main
+      nav
+      noscript
+      ol
+      output
+      p
+      pre
+      section
+      table
+      tfoot
+      ul
+      video
+    ]
+
+    STRICT_BLOCK_LEVEL = STRICT_BLOCK_LEVEL_HTML4 + STRICT_BLOCK_LEVEL_HTML5
+
+    # The following elements may also be considered block-level
+    # elements since they may contain block-level elements
+    LOOSE_BLOCK_LEVEL = Set.new %w[dd
+      dt
+      frameset
+      li
+      tbody
+      td
+      tfoot
+      th
+      thead
+      tr
+    ]
 
     BLOCK_LEVEL = STRICT_BLOCK_LEVEL + LOOSE_BLOCK_LEVEL
   end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/loofah/html5/scrub.rb 
new/lib/loofah/html5/scrub.rb
--- old/lib/loofah/html5/scrub.rb       2017-09-25 03:11:14.000000000 +0200
+++ new/lib/loofah/html5/scrub.rb       2018-02-11 23:23:01.000000000 +0100
@@ -79,7 +79,7 @@
           style_tree.each do |node|
             next unless node[:node] == :property
             next if node[:children].any? do |child|
-              [:url, :bad_url, :function].include? child[:node]
+              [:url, :bad_url].include?(child[:node]) || (child[:node] == 
:function && !WhiteList::ALLOWED_CSS_FUNCTIONS.include?(child[:name].downcase))
             end
             name = node[:name].downcase
             if WhiteList::ALLOWED_CSS_PROPERTIES.include?(name) || 
WhiteList::ALLOWED_SVG_PROPERTIES.include?(name)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/loofah/html5/whitelist.rb 
new/lib/loofah/html5/whitelist.rb
--- old/lib/loofah/html5/whitelist.rb   2017-09-25 03:11:14.000000000 +0200
+++ new/lib/loofah/html5/whitelist.rb   2018-02-11 23:23:01.000000000 +0100
@@ -51,7 +51,7 @@
       caption center cite code col colgroup command datalist dd del
       details dfn dir div dl dt em fieldset figcaption figure footer
       font form h1 h2 h3 h4 h5 h6 header hr i img input ins kbd label
-      legend li map mark menu meter nav ol output optgroup option p
+      legend li main map mark menu meter nav ol output optgroup option p
       pre q s samp section select small span strike strong sub summary
       sup table tbody td textarea tfoot th thead time tr tt u ul var
       video]
@@ -65,7 +65,7 @@
       circle clipPath defs desc ellipse feGaussianBlur filter font-face
       font-face-name font-face-src foreignObject
       g glyph hkern linearGradient line marker mask metadata missing-glyph
-      mpath path polygon polyline radialGradient rect set stop svg switch
+      mpath path polygon polyline radialGradient rect set stop svg switch 
symbol
       text textPath title tspan use]
 
       ACCEPTABLE_ATTRIBUTES = Set.new %w[abbr accept accept-charset accesskey 
action
@@ -125,8 +125,8 @@
       border-bottom-color border-collapse border-color border-left-color
       border-right-color border-top-color clear color cursor direction
       display elevation float font font-family font-size font-style
-      font-variant font-weight height letter-spacing line-height overflow
-      pause pause-after pause-before pitch pitch-range richness speak
+      font-variant font-weight height letter-spacing line-height 
list-style-type
+      overflow pause pause-after pause-before pitch pitch-range richness speak
       speak-header speak-numeral speak-punctuation speech-rate stress
       text-align text-decoration text-indent unicode-bidi vertical-align
       voice-family volume white-space width]
@@ -137,6 +137,8 @@
       purple red right solid silver teal top transparent underline white
       yellow]
 
+      ACCEPTABLE_CSS_FUNCTIONS = Set.new %w[calc rgb]
+
       SHORTHAND_CSS_PROPERTIES = Set.new %w[background border margin padding]
 
       ACCEPTABLE_SVG_PROPERTIES = Set.new %w[fill fill-opacity fill-rule stroke
@@ -155,6 +157,7 @@
       ALLOWED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + MATHML_ATTRIBUTES + 
SVG_ATTRIBUTES
       ALLOWED_CSS_PROPERTIES = ACCEPTABLE_CSS_PROPERTIES
       ALLOWED_CSS_KEYWORDS = ACCEPTABLE_CSS_KEYWORDS
+      ALLOWED_CSS_FUNCTIONS = ACCEPTABLE_CSS_FUNCTIONS
       ALLOWED_SVG_PROPERTIES = ACCEPTABLE_SVG_PROPERTIES
       ALLOWED_PROTOCOLS = ACCEPTABLE_PROTOCOLS
       ALLOWED_URI_DATA_MEDIATYPES = ACCEPTABLE_URI_DATA_MEDIATYPES
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/loofah/scrubbers.rb new/lib/loofah/scrubbers.rb
--- old/lib/loofah/scrubbers.rb 2017-09-25 03:11:14.000000000 +0200
+++ new/lib/loofah/scrubbers.rb 2018-02-11 23:23:01.000000000 +0100
@@ -99,7 +99,12 @@
 
       def scrub(node)
         return CONTINUE if html5lib_sanitize(node) == CONTINUE
-        node.before node.children
+        if node.children.length == 1 && node.children.first.cdata?
+          sanitized_text = 
Loofah.fragment(node.children.first.to_html).scrub!(:strip).to_html
+          node.before Nokogiri::XML::Text.new(sanitized_text, node.document)
+        else
+          node.before node.children
+        end
         node.remove
       end
     end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/loofah.rb new/lib/loofah.rb
--- old/lib/loofah.rb   2017-09-25 03:11:14.000000000 +0200
+++ new/lib/loofah.rb   2018-02-11 23:23:01.000000000 +0100
@@ -27,7 +27,7 @@
 #
 module Loofah
   # The version of Loofah you are using
-  VERSION = '2.1.1'
+  VERSION = '2.2.0'
 
   class << self
     # Shortcut for Loofah::HTML::Document.parse
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2017-09-25 03:11:14.000000000 +0200
+++ new/metadata        2018-02-11 23:23:01.000000000 +0100
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: loofah
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.2.0
 platform: ruby
 authors:
 - Mike Dalessio
@@ -9,7 +9,7 @@
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-09-25 00:00:00.000000000 Z
+date: 2018-02-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -157,14 +157,14 @@
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.14.0
+        version: 0.15.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.14.0
+        version: 0.15.0
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -193,19 +193,7 @@
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.16'
-description: |-
-  Loofah is a general library for manipulating and transforming HTML/XML
-  documents and fragments. It's built on top of Nokogiri and libxml2, so
-  it's fast and has a nice API.
-
-  Loofah excels at HTML sanitization (XSS prevention). It includes some
-  nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
-  most likely won't make your codes less secure. (These statements have
-  not been evaluated by Netexperts.)
-
-  ActiveRecord extensions for sanitization are available in the
-  `loofah-activerecord` gem (see
-  https://github.com/flavorjones/loofah-activerecord).
+description: ''
 email:
 - mike.dales...@gmail.com
 - br...@brynary.com
@@ -215,14 +203,14 @@
 - CHANGELOG.md
 - MIT-LICENSE.txt
 - Manifest.txt
-- README.rdoc
+- README.md
 files:
 - ".gemtest"
 - CHANGELOG.md
 - Gemfile
 - MIT-LICENSE.txt
 - Manifest.txt
-- README.rdoc
+- README.md
 - Rakefile
 - benchmark/benchmark.rb
 - benchmark/fragment.html
@@ -254,7 +242,7 @@
 - test/unit/test_helpers.rb
 - test/unit/test_scrubber.rb
 - test/unit/test_scrubbers.rb
-homepage: https://github.com/flavorjones/loofah
+homepage: 
 licenses:
 - MIT
 metadata: {}
@@ -279,6 +267,5 @@
 rubygems_version: 2.6.12
 signing_key: 
 specification_version: 4
-summary: Loofah is a general library for manipulating and transforming 
HTML/XML documents
-  and fragments
+summary: ''
 test_files: []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/html5/test_sanitizer.rb 
new/test/html5/test_sanitizer.rb
--- old/test/html5/test_sanitizer.rb    2017-09-25 03:11:14.000000000 +0200
+++ new/test/html5/test_sanitizer.rb    2018-02-11 23:23:01.000000000 +0100
@@ -20,9 +20,9 @@
   def check_sanitization(input, htmloutput, xhtmloutput, rexmloutput)
     ##  libxml uses double-quotes, so let's swappo-boppo our quotes before 
comparing.
     sane = sanitize_html(input).gsub('"',"'")
-    htmloutput.gsub!('"',"'")
-    xhtmloutput.gsub!('"',"'")
-    rexmloutput.gsub!('"',"'")
+    htmloutput = htmloutput.gsub('"',"'")
+    xhtmloutput = xhtmloutput.gsub('"',"'")
+    rexmloutput = rexmloutput.gsub('"',"'")
 
     ##  HTML5's parsers are shit. there's so much inconsistency with what has 
closing tags, etc, that
     ##  it would require a lot of manual hacking to make the tests match 
libxml's output.
@@ -136,7 +136,7 @@
       check_sanitization(input, output, output, output)
     end
   end
-  
+
   HTML5::WhiteList::ALLOWED_URI_DATA_MEDIATYPES.each do |data_uri_type|
     define_method "test_should_allow_data_#{data_uri_type}_uris" do
       input = %(<a href="data:#{data_uri_type}">foo</a>)
@@ -275,6 +275,38 @@
     assert_match %r/-0.05em/, sane.inner_html
   end
 
+  def test_css_function_sanitization_leaves_whitelisted_functions_calc
+    html = "<span style=\"width:calc(5%)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/calc\(5%\)/, sane.inner_html
+
+    html = "<span style=\"width: calc(5%)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/calc\(5%\)/, sane.inner_html
+  end
+
+  def test_css_function_sanitization_leaves_whitelisted_functions_rgb
+    html = '<span style="color: rgb(255, 0, 0)">'
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/rgb\(255, 0, 0\)/, sane.inner_html
+  end
+
+  def test_css_function_sanitization_leaves_whitelisted_list_style_type
+    html = "<ol style='list-style-type:lower-greek;'></ol>"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/list-style-type:lower-greek/, sane.inner_html
+  end
+
+  def 
test_css_function_sanitization_strips_style_attributes_with_unsafe_functions
+    html = "<span style=\"width:attr(data-evil-attr)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/<span><\/span>/, sane.inner_html
+
+    html = "<span style=\"width: attr(data-evil-attr)\">"
+    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :strip).to_html)
+    assert_match %r/<span><\/span>/, sane.inner_html
+  end
+
   def test_issue_90_slow_regex
     skip("timing tests are hard to make pass and have little 
regression-testing value")
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/integration/test_ad_hoc.rb 
new/test/integration/test_ad_hoc.rb
--- old/test/integration/test_ad_hoc.rb 2017-09-25 03:11:14.000000000 +0200
+++ new/test/integration/test_ad_hoc.rb 2018-02-11 23:23:01.000000000 +0100
@@ -16,66 +16,67 @@
     end
   end
 
-  def test_removal_of_illegal_tag
-    html = <<-HTML
+  context "tests" do
+    def test_removal_of_illegal_tag
+      html = <<-HTML
       following this there should be no jim tag
       <jim>jim</jim>
       was there?
     HTML
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    assert sane.xpath("//jim").empty?
-  end
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+      assert sane.xpath("//jim").empty?
+    end
 
-  def test_removal_of_illegal_attribute
-    html = "<p class=bar foo=bar abbr=bar />"
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    node = sane.xpath("//p").first
-    assert node.attributes['class']
-    assert node.attributes['abbr']
-    assert_nil node.attributes['foo']
-  end
+    def test_removal_of_illegal_attribute
+      html = "<p class=bar foo=bar abbr=bar />"
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+      node = sane.xpath("//p").first
+      assert node.attributes['class']
+      assert node.attributes['abbr']
+      assert_nil node.attributes['foo']
+    end
 
-  def test_removal_of_illegal_url_in_href
-    html = <<-HTML
+    def test_removal_of_illegal_url_in_href
+      html = <<-HTML
       <a href='jimbo://jim.jim/'>this link should have its href removed 
because of illegal url</a>
       <a href='http://jim.jim/'>this link should be fine</a>
     HTML
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    nodes = sane.xpath("//a")
-    assert_nil nodes.first.attributes['href']
-    assert nodes.last.attributes['href']
-  end
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+      nodes = sane.xpath("//a")
+      assert_nil nodes.first.attributes['href']
+      assert nodes.last.attributes['href']
+    end
 
-  def test_css_sanitization
-    html = "<p style='background-color: url(\"http://foo.com/\";) ; 
background-color: #000 ;' />"
-    sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
-    assert_match %r/#000/,    sane.inner_html
-    refute_match %r/foo\.com/, sane.inner_html
-  end
+    def test_css_sanitization
+      html = "<p style='background-color: url(\"http://foo.com/\";) ; 
background-color: #000 ;' />"
+      sane = Nokogiri::HTML(Loofah.scrub_fragment(html, :escape).to_xml)
+      assert_match %r/#000/,    sane.inner_html
+      refute_match %r/foo\.com/, sane.inner_html
+    end
 
-  def test_fragment_with_no_tags
-    assert_equal "This fragment has no tags.", Loofah.scrub_fragment("This 
fragment has no tags.", :escape).to_xml
-  end
+    def test_fragment_with_no_tags
+      assert_equal "This fragment has no tags.", Loofah.scrub_fragment("This 
fragment has no tags.", :escape).to_xml
+    end
 
-  def test_fragment_in_p_tag
-    assert_equal "<p>This fragment is in a p.</p>", 
Loofah.scrub_fragment("<p>This fragment is in a p.</p>", :escape).to_xml
-  end
+    def test_fragment_in_p_tag
+      assert_equal "<p>This fragment is in a p.</p>", 
Loofah.scrub_fragment("<p>This fragment is in a p.</p>", :escape).to_xml
+    end
 
-  def test_fragment_in_p_tag_plus_stuff
-    assert_equal "<p>This fragment is in a p.</p>foo<strong>bar</strong>", 
Loofah.scrub_fragment("<p>This fragment is in a p.</p>foo<strong>bar</strong>", 
:escape).to_xml
-  end
+    def test_fragment_in_p_tag_plus_stuff
+      assert_equal "<p>This fragment is in a p.</p>foo<strong>bar</strong>", 
Loofah.scrub_fragment("<p>This fragment is in a p.</p>foo<strong>bar</strong>", 
:escape).to_xml
+    end
 
-  def test_fragment_with_text_nodes_leading_and_trailing
-    assert_equal "text<p>fragment</p>text", 
Loofah.scrub_fragment("text<p>fragment</p>text", :escape).to_xml
-  end
+    def test_fragment_with_text_nodes_leading_and_trailing
+      assert_equal "text<p>fragment</p>text", 
Loofah.scrub_fragment("text<p>fragment</p>text", :escape).to_xml
+    end
 
-  def test_whitewash_on_fragment
-    html = "safe<frameset rows=\"*\"><frame 
src=\"http://example.com\";></frameset> <b>description</b>"
-    whitewashed = Loofah.scrub_document(html, 
:whitewash).xpath("/html/body/*").to_s
-    assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","")
-  end
+    def test_whitewash_on_fragment
+      html = "safe<frameset rows=\"*\"><frame 
src=\"http://example.com\";></frameset> <b>description</b>"
+      whitewashed = Loofah.scrub_document(html, 
:whitewash).xpath("/html/body/*").to_s
+      assert_equal "<p>safe</p><b>description</b>", whitewashed.gsub("\n","")
+    end
 
-  MSWORD_HTML = <<-EOHTML
+    MSWORD_HTML = <<-EOHTML
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta 
name="ProgId" content="Word.Document"><meta name="Generator" content="Microsoft 
Word 11"><meta name="Originator" content="Microsoft Word 11"><link 
rel="File-List" 
href="file:///C:%5CDOCUME%7E1%5CNICOLE%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><!--[if
 gte mso 9]><xml>
 <w:WordDocument>
  <w:View>Normal</w:View>
@@ -141,36 +142,52 @@
 <p class="MsoNormal">Foo <b style="">BOLD<o:p></o:p></b></p>
   EOHTML
 
-  def test_fragment_whitewash_on_microsofty_markup
-    whitewashed = Loofah.fragment(MSWORD_HTML).scrub!(:whitewash)
-    assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s.strip
-  end
+    def test_fragment_whitewash_on_microsofty_markup
+      whitewashed = Loofah.fragment(MSWORD_HTML).scrub!(:whitewash)
+      assert_equal "<p>Foo <b>BOLD</b></p>", whitewashed.to_s.strip
+    end
 
-  def test_document_whitewash_on_microsofty_markup
-    whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash)
-    assert_match %r(<p>Foo <b>BOLD</b></p>), whitewashed.to_s
-    assert_equal "<p>Foo <b>BOLD</b></p>",   
whitewashed.xpath("/html/body/*").to_s
-  end
+    def test_document_whitewash_on_microsofty_markup
+      whitewashed = Loofah.document(MSWORD_HTML).scrub!(:whitewash)
+      assert_match %r(<p>Foo <b>BOLD</b></p>), whitewashed.to_s
+      assert_equal "<p>Foo <b>BOLD</b></p>",   
whitewashed.xpath("/html/body/*").to_s
+    end
 
-  def test_return_empty_string_when_nothing_left
-    assert_equal "", Loofah.scrub_document('<script>test</script>', 
:prune).text
-  end
+    def test_return_empty_string_when_nothing_left
+      assert_equal "", Loofah.scrub_document('<script>test</script>', 
:prune).text
+    end
+
+    def test_nested_script_cdata_tags_should_be_scrubbed
+      html = "<script><script src='malicious.js'></script>"
+      stripped = Loofah.fragment(html).scrub!(:strip)
+      assert_empty stripped.xpath("//script")
+      refute_match("<script", stripped.to_html)
+    end
 
-  def test_removal_of_all_tags
-    html = <<-HTML
+    def test_nested_script_cdata_tags_should_be_scrubbed_2
+      html = "<script><script>alert('a');</script></script>"
+      stripped = Loofah.fragment(html).scrub!(:strip)
+      assert_empty stripped.xpath("//script")
+      refute_match("<script", stripped.to_html)
+    end
+
+    def test_removal_of_all_tags
+      html = <<-HTML
       What's up <strong>doc</strong>?
     HTML
-    stripped = Loofah.scrub_document(html, :prune).text
-    assert_equal %Q(What\'s up doc?).strip, stripped.strip
-  end
+      stripped = Loofah.scrub_document(html, :prune).text
+      assert_equal %Q(What\'s up doc?).strip, stripped.strip
+    end
 
-  def test_dont_remove_whitespace
-    html = "Foo\nBar"
-    assert_equal html, Loofah.scrub_document(html, :prune).text
-  end
+    def test_dont_remove_whitespace
+      html = "Foo\nBar"
+      assert_equal html, Loofah.scrub_document(html, :prune).text
+    end
 
-  def test_dont_remove_whitespace_between_tags
-    html = "<p>Foo</p>\n<p>Bar</p>"
-    assert_equal "Foo\nBar", Loofah.scrub_document(html, :prune).text
+    def test_dont_remove_whitespace_between_tags
+      html = "<p>Foo</p>\n<p>Bar</p>"
+      assert_equal "Foo\nBar", Loofah.scrub_document(html, :prune).text
+    end
   end
 end
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/integration/test_html.rb 
new/test/integration/test_html.rb
--- old/test/integration/test_html.rb   2017-09-25 03:11:14.000000000 +0200
+++ new/test/integration/test_html.rb   2018-02-11 23:23:01.000000000 +0100
@@ -19,11 +19,16 @@
     end
 
     context "#to_text" do
-      it "add newlines before and after block elements" do
+      it "add newlines before and after html4 block elements" do
         html = Loofah.fragment 
"<div>tweedle<h1>beetle</h1>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
         assert_equal 
"\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
       end
 
+      it "add newlines before and after html5 block elements" do
+        html = Loofah.fragment 
"<div>tweedle<section>beetle</section>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
+        assert_equal 
"\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
+      end
+
       it "remove extraneous whitespace" do
         html = Loofah.fragment "<div>tweedle\n\n\t\n\s\nbeetle</div>"
         assert_equal "\ntweedle\n\nbeetle\n", html.to_text
@@ -47,11 +52,16 @@
     end
 
     context "#to_text" do
-      it "add newlines before and after block elements" do
+      it "add newlines before and after html4 block elements" do
         html = Loofah.document 
"<div>tweedle<h1>beetle</h1>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
         assert_equal 
"\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
       end
 
+      it "add newlines before and after html5 block elements" do
+        html = Loofah.document 
"<div>tweedle<section>beetle</section>bottle<span>puddle</span>paddle<div>battle</div>muddle</div>"
+        assert_equal 
"\ntweedle\nbeetle\nbottlepuddlepaddle\nbattle\nmuddle\n", html.to_text
+      end
+
       it "remove extraneous whitespace" do
         html = Loofah.document "<div>tweedle\n\n\t\n\s\nbeetle</div>"
         assert_equal "\ntweedle\n\nbeetle\n", html.to_text


Reply via email to